mirror of
https://github.com/gravitational/teleport
synced 2024-10-20 01:03:40 +00:00
Update Azure SQL server guide (#20705)
* docs(database-access): update Azure SQL server guide * make bullet notation consistent * consistent parentheticals * copy edits * optimize image for web * feat(docs): update system managed identity image --------- Co-authored-by: alexfornuto <alex.fornuto@goteleport.com>
This commit is contained in:
parent
f00f35bfc8
commit
2ec17fd7e6
Binary file not shown.
After Width: | Height: | Size: 106 KiB |
|
@ -62,7 +62,88 @@ login to SQL Server.
|
|||
|
||||
![Azure SQL Server Azure Active Directory admin page](../../../img/database-access/guides/sqlserver/azure-set-ad-admin.png)
|
||||
|
||||
## Step 4/9. Configure Azure Managed Identities
|
||||
## Step 4/9. Configure IAM permissions for Teleport
|
||||
|
||||
The Teleport Database Service needs Azure IAM permissions to:
|
||||
- Discover and register SQL Server instances.
|
||||
- Fetch virtual machine managed identities used for login.
|
||||
|
||||
### Configure an Azure service principal
|
||||
|
||||
Teleport requires the following permissions:
|
||||
- `<resource-type>/read` permissions for discovery, but only for the resource
|
||||
types you have. For example, `Microsoft.Sql/managedInstances/read`.
|
||||
- `Microsoft.Compute/virtualMachines/read`.
|
||||
|
||||
Here is a sample role definition allowing Teleport to read **Azure SQL Servers**
|
||||
and **Azure SQL Managed Instances**:
|
||||
|
||||
```json
|
||||
{
|
||||
"properties": {
|
||||
"roleName": "SQLServerAutoDiscovery",
|
||||
"description": "Allows Teleport to discover SQL Servers and SQL Managed Instances.",
|
||||
"assignableScopes": [
|
||||
"/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
|
||||
],
|
||||
"permissions": [
|
||||
{
|
||||
"actions": [
|
||||
"Microsoft.Sql/managedInstances/read",
|
||||
"Microsoft.Sql/servers/read",
|
||||
"Microsoft.Compute/virtualMachines/read"
|
||||
],
|
||||
"notActions": [],
|
||||
"dataActions": [],
|
||||
"notDataActions": []
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
The `assignableScopes` field above includes a subscription
|
||||
(`/subscriptions/<subscription>`), allowing the role to be assigned at any
|
||||
resource scope within that subscription or the subscription scope itself.
|
||||
If you want to further limit the `assignableScopes`, you can use a resource
|
||||
group (`/subscriptions/<subscription>/resourceGroups/<group>`) or a management
|
||||
group (`/providers/Microsoft.Management/managementGroups/<group>`) instead.
|
||||
|
||||
Go to the [Subscriptions](https://portal.azure.com/#view/Microsoft_Azure_Billing/SubscriptionsBlade)
|
||||
page and select a subscription.
|
||||
|
||||
Click on **Access control (IAM)** in the subscription and select **Add** >
|
||||
**Add custom role**:
|
||||
|
||||
![IAM custom role](../../../img/database-access/guides/azure/add-custom-role@2x.png)
|
||||
|
||||
In the custom role creation page, click the **JSON** tab and click **Edit**,
|
||||
then paste the JSON example and replace the subscription in `assignableScopes`
|
||||
with your own subscription id:
|
||||
|
||||
![Create JSON role](../../../img/database-access/guides/sqlserver/create-role-from-json.png)
|
||||
|
||||
## Step 5/9. Configure virtual machine identities
|
||||
|
||||
In the Teleport Database Service virtual machine's **Identity**
|
||||
section, enable the system assigned identity. This is used by Teleport to access
|
||||
Azure APIs.
|
||||
|
||||
![System assigned identity page](../../../img/database-access/guides/sqlserver/system-managed-identity.png)
|
||||
|
||||
To grant Teleport permissions, the custom role you created must be assigned to
|
||||
the virtual machine system assigned identity. On the same page, click on the **Azure
|
||||
role assignments**, then on **Add role assignment**. Select the custom role and
|
||||
save.
|
||||
|
||||
<Admonition type="note" title="Azure Role Assignments">
|
||||
The role assignment should be at a high enough scope to allow the Teleport Database Service to discover
|
||||
all matching databases. See
|
||||
[Identify the needed scope](https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-steps#step-3-identify-the-needed-scope)
|
||||
for more information about Azure scopes and creating role assignments.
|
||||
</Admonition>
|
||||
|
||||
### Login identities
|
||||
|
||||
The Teleport Database Service needs access tokens from Azure AD to authenticate with
|
||||
SQL Server databases.
|
||||
|
@ -82,7 +163,7 @@ created:
|
|||
|
||||
![Azure Virtual machine user managed identities page](../../../img/database-access/guides/sqlserver/azure-attach-managed-identity-vm.png)
|
||||
|
||||
## Step 5/9. Enable managed identities login on SQL Server
|
||||
## Step 6/9. Enable managed identities login on SQL Server
|
||||
|
||||
Azure AD SQL Server integration uses database-level authentication (contained
|
||||
users), meaning we must create a user for our identities on each database we
|
||||
|
@ -105,7 +186,7 @@ the user as a member of the `db_datareader` role:
|
|||
ALTER ROLE db_datareader ADD MEMBER [sqlserver-identity];
|
||||
```
|
||||
|
||||
## Step 6/9. Create a Database Service configuration
|
||||
## Step 7/9. Create a Database Service configuration
|
||||
|
||||
Install Teleport on the host where you will run the Teleport Database Service:
|
||||
|
||||
|
@ -138,71 +219,6 @@ The command will generate a Database Service configuration with Azure SQL
|
|||
Server auto-discovery enabled in the `eastus` region and place it at the
|
||||
`/etc/teleport.yaml` location.
|
||||
|
||||
## Step 7/9. Configure IAM permissions for Teleport
|
||||
|
||||
The Teleport Database Service needs Azure IAM permissions to discover and
|
||||
register SQL Server instances.
|
||||
|
||||
### Configure an Azure service principal
|
||||
|
||||
(!docs/pages/includes/database-access/azure-configure-service-principal.mdx!)
|
||||
|
||||
### Create a custom role
|
||||
|
||||
Teleport requires `<resource-type>/read` permissions for discovery, but
|
||||
only for the resource types you have.
|
||||
|
||||
Here is a sample role definition allowing Teleport to read **Azure SQL Servers**
|
||||
and **Azure SQL Managed Instances**:
|
||||
|
||||
```json
|
||||
{
|
||||
"properties": {
|
||||
"roleName": "SQLServerAutoDiscovery",
|
||||
"description": "Allows Teleport to discover SQL Servers and SQL Managed Instances.",
|
||||
"assignableScopes": [
|
||||
"/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
|
||||
],
|
||||
"permissions": [
|
||||
{
|
||||
"actions": [
|
||||
"Microsoft.Sql/managedInstances/read",
|
||||
"Microsoft.Sql/servers/read"
|
||||
],
|
||||
"notActions": [],
|
||||
"dataActions": [],
|
||||
"notDataActions": []
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
The `assignableScopes` field above includes a subscription
|
||||
`/subscriptions/<subscription>`, allowing the role to be assigned at any
|
||||
resource scope within that subscription or the subscription scope itself.
|
||||
If you want to further limit the `assignableScopes`, you can use a resource
|
||||
group (`/subscriptions/<subscription>/resourceGroups/<group>`) or a management
|
||||
group (`/providers/Microsoft.Management/managementGroups/<group>`) instead.
|
||||
|
||||
Now go to the [Subscriptions](https://portal.azure.com/#view/Microsoft_Azure_Billing/SubscriptionsBlade)
|
||||
page and select a subscription.
|
||||
|
||||
Click on **Access control (IAM)** in the subscription and select **Add** >
|
||||
**Add custom role**:
|
||||
|
||||
![IAM custom role](../../../img/database-access/guides/azure/add-custom-role@2x.png)
|
||||
|
||||
In the custom role creation page, click the **JSON** tab and click **Edit**,
|
||||
then paste the JSON example and replace the subscription in `assignableScopes`
|
||||
with your own subscription id:
|
||||
|
||||
![Create JSON role](../../../img/database-access/guides/sqlserver/create-role-from-json.png)
|
||||
|
||||
### Create a role assignment for the Teleport Database Service principal
|
||||
|
||||
(!docs/pages/includes/database-access/azure-assign-service-principal.mdx!)
|
||||
|
||||
## Step 8/9. Start Teleport Database Service
|
||||
|
||||
Start the Database Service:
|
||||
|
@ -273,7 +289,7 @@ connect with is not attached to the Teleport Database Service virtual machine.
|
|||
You can navigate to the [Virtual Machines](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines) page within Azure Portal,
|
||||
open the **Teleport instance**, **Identity** section, and choose **User
|
||||
assigned** to see all identities you can connect with. If you don’t see your
|
||||
identity check [Step 4](#step-49-configure-azure-managed-identities) to see how
|
||||
identity check [Step 4](#login-identities) to see how
|
||||
to add it.
|
||||
|
||||
### Login failed for the user
|
||||
|
@ -281,9 +297,29 @@ to add it.
|
|||
When connecting to your database, and you see the error `mssql: login error: Login
|
||||
failed for user '<token-identified principal>'`, it means your managed identity
|
||||
login is not present on the SQL database. You’ll need to create their users as
|
||||
described in [Step 5](#step-59-enable-managed-identities-login-on-sql-server).
|
||||
described in [Step 6](#step-69-enable-managed-identities-login-on-sql-server).
|
||||
Remember: you must create the users on all databases you want to connect.
|
||||
|
||||
### Timeout connecting to the database
|
||||
|
||||
If you receive the error `i/o timeout issue` when connecting to your database,
|
||||
please check if the Teleport Database service can reach the database on
|
||||
Azure.
|
||||
|
||||
In case your database is public, you can enable it to receive connections
|
||||
from Azure services without creating firewall rules: Go to your database page,
|
||||
**Network** tab, and at the bottom of the page in the **Exceptions** section
|
||||
check the option "Allow Azure services and resources to access this server" and
|
||||
save.
|
||||
|
||||
If your database is not public and it is using private endpoints, ensure that
|
||||
they're on the same VPC, or if the Teleport VM VPC is peering with the database
|
||||
one.
|
||||
|
||||
To check if the VM has access, you can do the following on the VM:
|
||||
- Using `netcat`: `nc -v youradatabase.database.windows.net 1433`
|
||||
- Using `telnet`: `telnet yourdatabase.database.windows.net 1433`
|
||||
|
||||
## Next steps
|
||||
|
||||
(!docs/pages/includes/database-access/guides-next-steps.mdx!)
|
||||
|
|
Loading…
Reference in a new issue